Analysis
max time kernel: 40s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2024, 10:12
Behavioral task: behavioral1
Sample: 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Size: 91KB
MD5: 39771891331f0ec6459645875c89a1f1
SHA1: 891f862a6972906e9d31b262c70435468d7b285e
SHA256: a037741500e627fb16d1a435cf0ea0e312c785065903028e03341cbb4f1f5f61
SHA512: 07f96d42cf36b7adf3ae682ffde90eca7116b2f6b8264a32282a229c066e4b513b12952e852e5fdf85af7a5b89f65b45335e5faa19cd8f52fca43ba4be86b5b1
SSDEEP: 1536:oy5vD03IfV4tM3z9mYzA8V9p39aag6tp38izscOIEALMu7HLrF/1o:o+7dwM3xmmjH3Txtp38XzIdLPfF
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qnjetz.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qnjetz.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | qnjetz.exe

Disables Task Manager via registry modification
Deletes itself 1 IoCs
pid | Process
9872 | qnjetz.exe
Executes dropped EXE 64 IoCs
pid | Process
4628 | akmqcn.exe
5076 | eedfpehq.exe
4748 | swvsdmi.exe
2572 | dwypuw.exe
4940 | zlnlnyei.exe
4172 | gbnhufe.exe
1280 | bqekuih.exe
3228 | hqahwcsd.exe
3452 | iiekclh.exe
748 | fknca.exe
1700 | gdqqcn.exe
3340 | tsauotnp.exe
1712 | ocyehf.exe
4648 | vlubpflj.exe
4204 | mjcpa.exe
244 | cqubiwuh.exe
1592 | zehkeltr.exe
368 | fzltznm.exe
1048 | gxqwtomx.exe
2420 | nejra.exe
2904 | kqmikdjc.exe
1148 | jwxoufp.exe
3620 | nxzoc.exe
208 | vteguc.exe
1704 | rpzwhqqf.exe
372 | jjijzcmm.exe
2508 | xjxfto.exe
2344 | ardkjgy.exe
224 | yxkrsnd.exe
2844 | fiqxosb.exe
4780 | oneolym.exe
2692 | hilnqt.exe
4528 | nzcvzroc.exe
4324 | lgvvcnbw.exe
3440 | bkysx.exe
920 | ihzhm.exe
3632 | orrxjxsg.exe
3348 | yoyfoen.exe
2192 | jlovezdq.exe
1104 | micmljpc.exe
3096 | bfdkpt.exe
1920 | xkpmmka.exe
4952 | krhlmz.exe
2352 | igxchilj.exe
5432 | brvyulw.exe
5472 | qunudk.exe
5516 | oxkuu.exe
5548 | wqohc.exe
5580 | yyxcfqc.exe
5612 | hyhlb.exe
5644 | fufbb.exe
5680 | camqshd.exe
5716 | fplnwyhu.exe
5748 | djsms.exe
5780 | wgzpjzo.exe
5812 | gsqpsvme.exe
5848 | mrokxt.exe
5880 | fhimb.exe
5912 | xhnwl.exe
5944 | draseed.exe
5984 | lgmqg.exe
6016 | xtetyed.exe
6048 | kieypsm.exe
6080 | zrxdo.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | qnjetz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | qnjetz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | qnjetz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | qnjetz.exe
Adds Run key to start application 2 TTPs 64 IoCs
Every row has description "Set value (str)" and ioc \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service = <value>; the value and the writing process are listed per row.
value | Process
"C:\\Windows\\system32\\acpahgm.exe" | rddxwmfd.exe
"C:\\Windows\\system32\\trroadq.exe" | yrpdw.exe
"C:\\Windows\\system32\\dijiu.exe" | crgtbmur.exe
"C:\\Windows\\system32\\dpgrlqc.exe" | hqegvrbc.exe
"C:\\Windows\\system32\\qeztde.exe" | igxlxrhi.exe
"C:\\Windows\\system32\\knicj.exe" | bjuaw.exe
"C:\\Windows\\system32\\zricc.exe" | cbbmbvk.exe
"C:\\Windows\\system32\\paoosgrb.exe" | uddmoq.exe
"C:\\Windows\\system32\\hqcfkj.exe" | jukilrbr.exe
"C:\\Windows\\system32\\fxgdzc.exe" | nzrcb.exe
"C:\\Windows\\system32\\gwpgmfd.exe" | ysonymo.exe
"C:\\Windows\\system32\\dtyae.exe" | rxiew.exe
"C:\\Windows\\system32\\vwhgbpj.exe" | oaxpj.exe
"C:\\Windows\\system32\\ktutss.exe" | begjus.exe
"C:\\Windows\\system32\\nstekud.exe" | zuntxe.exe
"C:\\Windows\\system32\\cuzbyyy.exe" | fotxzmc.exe
"C:\\Windows\\system32\\vlexixp.exe" | uywjt.exe
"C:\\Windows\\system32\\heddpk.exe" | mhatnr.exe
"C:\\Windows\\system32\\vzqgzkz.exe" | yjdnwop.exe
"C:\\Windows\\system32\\sgfyfy.exe" | cusiozqm.exe
"C:\\Windows\\system32\\mrizorl.exe" | mzhma.exe
"C:\\Windows\\system32\\pgqmas.exe" | wpcvfjsr.exe
"C:\\Windows\\system32\\xgjdg.exe" | nexrfwyc.exe
"C:\\Windows\\system32\\cyaapn.exe" | tpehyzry.exe
"C:\\Windows\\system32\\xumfu.exe" | qlwsyx.exe
"C:\\Windows\\system32\\tosggv.exe" | jxkuww.exe
"C:\\Windows\\system32\\ihfknmx.exe" | pyvdjw.exe
"C:\\Windows\\system32\\zrxdo.exe" | kieypsm.exe
"C:\\Windows\\system32\\zulvedbu.exe" | qngxcefq.exe
"C:\\Windows\\system32\\gdziy.exe" | xnqvhve.exe
"C:\\Windows\\system32\\xhrtp.exe" | iphvw.exe
"C:\\Windows\\system32\\crgtbmur.exe" | awwrgju.exe
"C:\\Windows\\system32\\zevadpq.exe" | gxijah.exe
"C:\\Windows\\system32\\lezdo.exe" | sdgefrr.exe
"C:\\Windows\\system32\\gbnhufe.exe" | zlnlnyei.exe
"C:\\Windows\\system32\\ttehq.exe" | zrxdo.exe
"C:\\Windows\\system32\\zimbjn.exe" | lopcbsm.exe
"C:\\Windows\\system32\\ersfabf.exe" | zvnuubzb.exe
"C:\\Windows\\system32\\wfkozo.exe" | xumfu.exe
"C:\\Windows\\system32\\hguodj.exe" | wvcqnfg.exe
"C:\\Windows\\system32\\hiyns.exe" | xipxnc.exe
"C:\\Windows\\system32\\nxruzmbh.exe" | bzavd.exe
"C:\\Windows\\system32\\wpcvfjsr.exe" | ehuxopfh.exe
"C:\\Windows\\system32\\dwlqbfll.exe" | bkemqh.exe
"C:\\Windows\\system32\\xkpmmka.exe" | bfdkpt.exe
"C:\\Windows\\system32\\ywawxyb.exe" | tiyawh.exe
"C:\\Windows\\system32\\jwlssm.exe" | eavrlqy.exe
"C:\\Windows\\system32\\bkemqh.exe" | ipmjthjx.exe
"C:\\Windows\\system32\\iwpzpyal.exe" | fmtqzl.exe
"C:\\Windows\\system32\\xprnuraw.exe" | gdziy.exe
"C:\\Windows\\system32\\ggomj.exe" | fxjrwh.exe
"C:\\Windows\\system32\\igxchilj.exe" | krhlmz.exe
"C:\\Windows\\system32\\mrokxt.exe" | gsqpsvme.exe
"C:\\Windows\\system32\\fhimb.exe" | mrokxt.exe
"C:\\Windows\\system32\\bybaqhq.exe" | alrdayqa.exe
"C:\\Windows\\system32\\yjdnwop.exe" | eqhwhgx.exe
"C:\\Windows\\system32\\nbcbfa.exe" | keyvhzem.exe
"C:\\Windows\\system32\\wgbgrkve.exe" | ntfjdhta.exe
"C:\\Windows\\system32\\tasopz.exe" | gunuicxo.exe
"C:\\Windows\\system32\\gexdd.exe" | dijiu.exe
"C:\\Windows\\system32\\ycuzf.exe" | cweiqmdx.exe
"C:\\Windows\\system32\\sjwleku.exe" | bqtrd.exe
"C:\\Windows\\system32\\pyvdjw.exe" | jjtixgm.exe
"C:\\Windows\\system32\\leapvjvg.exe" | fkwlfcp.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | qnjetz.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\L: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\R: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\T: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\U: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\W: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\G: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\S: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\X: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\H: | qnjetz.exe
File opened (read-only) | \??\G: | qnjetz.exe
File opened (read-only) | \??\J: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\K: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\N: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\V: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\I: | qnjetz.exe
File opened (read-only) | \??\E: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\H: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\M: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\O: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\P: | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened (read-only) | \??\E: | qnjetz.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\qlwsyx.exe | iieigcw.exe
File opened for modification | C:\Windows\SysWOW64\xdispa.exe | hlmptxly.exe
File created | C:\Windows\SysWOW64\ntfjdhta.exe | labwpc.exe
File created | C:\Windows\SysWOW64\vevyqyni.exe | qvrkp.exe
File created | C:\Windows\SysWOW64\fhimb.exe | mrokxt.exe
File opened for modification | C:\Windows\SysWOW64\iieigcw.exe | zicmugrh.exe
File opened for modification | C:\Windows\SysWOW64\zocucb.exe | uwwmuqxi.exe
File opened for modification | C:\Windows\SysWOW64\fkwlfcp.exe | xwkmdhc.exe
File opened for modification | C:\Windows\SysWOW64\rxiew.exe | vbahdr.exe
File opened for modification | C:\Windows\SysWOW64\mzhma.exe | nbcbfa.exe
File created | C:\Windows\SysWOW64\tsvngsnj.exe | hmbqu.exe
File created | C:\Windows\SysWOW64\iwpzpyal.exe | fmtqzl.exe
File opened for modification | C:\Windows\SysWOW64\ehuxopfh.exe | cxpsa.exe
File opened for modification | C:\Windows\SysWOW64\zevadpq.exe | gxijah.exe
File opened for modification | C:\Windows\SysWOW64\pgvnq.exe | ymrtpkv.exe
File opened for modification | C:\Windows\SysWOW64\nbcbfa.exe | keyvhzem.exe
File created | C:\Windows\SysWOW64\mzadq.exe | mqsajww.exe
File opened for modification | C:\Windows\SysWOW64\fkqlnzz.exe | mxqnattv.exe
File created | C:\Windows\SysWOW64\bfdkpt.exe | micmljpc.exe
File opened for modification | C:\Windows\SysWOW64\htmcwqy.exe | ttehq.exe
File opened for modification | C:\Windows\SysWOW64\nstekud.exe | zuntxe.exe
File opened for modification | C:\Windows\SysWOW64\ewnag.exe | knicj.exe
File opened for modification | C:\Windows\SysWOW64\sboxvzl.exe | ypjegdrh.exe
File created | C:\Windows\SysWOW64\ktlnhyrv.exe | imxwcg.exe
File opened for modification | C:\Windows\SysWOW64\gawiqlkr.exe | vosrxmz.exe
File opened for modification | C:\Windows\SysWOW64\jrkrqwmi.exe | tktwh.exe
File created | C:\Windows\SysWOW64\yybnv.exe | wgbgrkve.exe
File created | C:\Windows\SysWOW64\hbkpmt.exe | rmvdk.exe
File opened for modification | C:\Windows\SysWOW64\pfwtxziz.exe | rzpmhni.exe
File created | C:\Windows\SysWOW64\vbahdr.exe | pfwtxziz.exe
File opened for modification | C:\Windows\SysWOW64\gxidl.exe | yybnv.exe
File opened for modification | C:\Windows\SysWOW64\yeshbwuy.exe | nyntkpx.exe
File created | C:\Windows\SysWOW64\htmcwqy.exe | ttehq.exe
File opened for modification | C:\Windows\SysWOW64\joxuhjpb.exe | lukwk.exe
File created | C:\Windows\SysWOW64\kicds.exe | turivmpc.exe
File opened for modification | C:\Windows\SysWOW64\oqfbspgx.exe | zsqpynv.exe
File opened for modification | C:\Windows\SysWOW64\tsauotnp.exe | gdqqcn.exe
File created | C:\Windows\SysWOW64\wgzpjzo.exe | djsms.exe
File opened for modification | C:\Windows\SysWOW64\leapvjvg.exe | fkwlfcp.exe
File opened for modification | C:\Windows\SysWOW64\kstid.exe | fqgtay.exe
File opened for modification | C:\Windows\SysWOW64\eapla.exe | ndxcu.exe
File created | C:\Windows\SysWOW64\zzyij.exe | vxebfmld.exe
File created | C:\Windows\SysWOW64\pjgualjd.exe | vejrtkrn.exe
File opened for modification | C:\Windows\SysWOW64\xipxnc.exe | dhmtn.exe
File created | C:\Windows\SysWOW64\nlqxnm.exe | cdhtely.exe
File opened for modification | C:\Windows\SysWOW64\hmbqu.exe | jjpvto.exe
File created | C:\Windows\SysWOW64\tgojipy.exe | rafad.exe
File created | C:\Windows\SysWOW64\akmqcn.exe | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\fqgtay.exe | xensu.exe
File opened for modification | C:\Windows\SysWOW64\heddpk.exe | mhatnr.exe
File created | C:\Windows\SysWOW64\iwwhaaz.exe | bjtxpumu.exe
File created | C:\Windows\SysWOW64\jukilrbr.exe | yeshbwuy.exe
File created | C:\Windows\SysWOW64\ttehq.exe | zrxdo.exe
File opened for modification | C:\Windows\SysWOW64\szqybmy.exe | xqkvotxy.exe
File opened for modification | C:\Windows\SysWOW64\rddxwmfd.exe | snvhu.exe
File created | C:\Windows\SysWOW64\vrmlhsby.exe | ftuqv.exe
File opened for modification | C:\Windows\SysWOW64\kdajkel.exe | zdbtw.exe
File opened for modification | C:\Windows\SysWOW64\bqekuih.exe | gbnhufe.exe
File created | C:\Windows\SysWOW64\rmvdk.exe | wecau.exe
File created | C:\Windows\SysWOW64\cdhtely.exe | wctsgc.exe
File created | C:\Windows\SysWOW64\djsms.exe | fplnwyhu.exe
File opened for modification | C:\Windows\SysWOW64\krczfuon.exe | iwpzpyal.exe
File created | C:\Windows\SysWOW64\camqshd.exe | fufbb.exe
File created | C:\Windows\SysWOW64\jshrej.exe | qeztde.exe
resource | yara_rule
behavioral2/memory/3504-0-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/files/0x000d000000023b7c-6.dat | upx
behavioral2/memory/3504-5-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-8-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-11-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-12-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-14-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/5076-28-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-13-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-9-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-7-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-10-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/4748-34-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-30-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-35-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-45-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-44-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/4628-53-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/5076-60-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4748-73-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-78-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/3504-79-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/2572-84-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4648-92-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4940-91-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4172-100-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1280-105-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3228-110-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3452-115-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/748-120-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1700-125-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3340-130-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1712-135-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4648-140-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4204-145-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/244-150-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1592-155-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-157-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/368-161-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1048-166-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2420-171-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2904-176-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1148-181-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3620-185-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/208-188-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1704-191-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/372-194-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2508-197-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3504-198-0x00000000022D0000-0x000000000335E000-memory.dmp | upx
behavioral2/memory/2344-202-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/224-206-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2844-209-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4780-212-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/5076-215-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2692-216-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4528-219-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/4324-222-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3440-354-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/920-357-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3632-362-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3348-365-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/2192-368-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/1104-371-0x0000000031420000-0x0000000031441000-memory.dmp | upx
behavioral2/memory/3096-374-0x0000000031420000-0x0000000031441000-memory.dmp | upx
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Opened by the following 64 processes (one IoC each): vteguc.exe, swvsdmi.exe, cusiozqm.exe, qeznzng.exe, zehkeltr.exe, khcym.exe, uenrhfhe.exe, wyfoe.exe, xjxfto.exe, vbahdr.exe, zoiqreil.exe, enfcym.exe, athdqf.exe, wjqwnoc.exe, qtvnuny.exe, rpzwhqqf.exe, vwuguzh.exe, uxoxmj.exe, nzrcb.exe, dijiu.exe, snjuhe.exe, hlmptxly.exe, xumfu.exe, mtvviq.exe, zpxdas.exe, yxkrsnd.exe, wxovuaop.exe, omkeqh.exe, csvugrpw.exe, oxkuu.exe, begjus.exe, hrkyx.exe, dhmtn.exe, ouvsaeq.exe, lopcbsm.exe, eocqrx.exe, juwbpy.exe, lvfbuu.exe, jpjlbt.exe, nlqxnm.exe, awjjaqd.exe, tsauotnp.exe, ktpscm.exe, znupgf.exe, fpazjolq.exe, puypx.exe, irahfnzd.exe, hqahwcsd.exe, okeez.exe, gsqpsvme.exe, woyjqho.exe, pgcypj.exe, jjtixgm.exe, dztisu.exe, hqcfkj.exe, lfjhpksw.exe, zicmugrh.exe, alywxebb.exe, fkqsbe.exe, xsdzqld.exe, vavhnvs.exe, cavum.exe, iiekclh.exe, ysonymo.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
3504  39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe (6 entries)
9872  qnjetz.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege in every entry.
pid   Process
3504  39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe (11 entries)
4628  akmqcn.exe
5076  eedfpehq.exe
4748  swvsdmi.exe
2572  dwypuw.exe
4940  zlnlnyei.exe
4172  gbnhufe.exe
1280  bqekuih.exe
3228  hqahwcsd.exe
3452  iiekclh.exe
748   fknca.exe
1700  gdqqcn.exe
3340  tsauotnp.exe
1712  ocyehf.exe
4648  vlubpflj.exe
4204  mjcpa.exe
244   cqubiwuh.exe
1592  zehkeltr.exe
368   fzltznm.exe
1048  gxqwtomx.exe
2420  nejra.exe
2904  kqmikdjc.exe
1148  jwxoufp.exe
3620  nxzoc.exe
208   vteguc.exe
1704  rpzwhqqf.exe
372   jjijzcmm.exe
2508  xjxfto.exe
2344  ardkjgy.exe
224   yxkrsnd.exe
2844  fiqxosb.exe
4780  oneolym.exe
2692  hilnqt.exe
4528  nzcvzroc.exe
4324  lgvvcnbw.exe
3440  bkysx.exe
920   ihzhm.exe
3632  orrxjxsg.exe
3348  yoyfoen.exe
2192  jlovezdq.exe
1104  micmljpc.exe
3096  bfdkpt.exe
1920  xkpmmka.exe
4952  krhlmz.exe
3504  39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe (10 further entries)
Suspicious use of WriteProcessMemory 64 IoCs
Writer pid / Process  ->  target pid (procid_target); repeated entries counted
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 4628 (86), 3 entries
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 784 (8)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 792 (9)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 332 (13)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2648 (44)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2660 (45)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2816 (50)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3368 (56)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3540 (57)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3764 (58)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3852 (59)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3912 (60)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 4004 (61)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 3424 (62)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2480 (74)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2232 (76)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 5112 (82)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 1620 (83)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 2684 (85)
3504 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe -> 4628 (86), 2 further entries
4628 akmqcn.exe -> 5076 (87), 3 entries
5076 eedfpehq.exe -> 4748 (89), 3 entries
4748 swvsdmi.exe -> 2572 (90), 3 entries
2572 dwypuw.exe -> 4940 (92), 3 entries
4940 zlnlnyei.exe -> 4172 (93), 3 entries
4172 gbnhufe.exe -> 1280 (94), 3 entries
1280 bqekuih.exe -> 3228 (95), 3 entries
3228 hqahwcsd.exe -> 3452 (96), 3 entries
3452 iiekclh.exe -> 748 (97), 3 entries
748 fknca.exe -> 1700 (98), 3 entries
1700 gdqqcn.exe -> 3340 (99), 3 entries
3340 tsauotnp.exe -> 1712 (100), 3 entries
1712 ocyehf.exe -> 4648 (101), 3 entries
4648 vlubpflj.exe -> 4204 (102), 2 entries
System policy modification 1 TTPs 2 IoCs
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by qnjetz.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  by 39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe
Processes
Each entry: [tree depth] image path | cmdline: command line | PID, followed by the signatures that process triggered.
- [1] C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID:784
- [1] C:\Windows\system32\fontdrvhost.exe | cmdline: "fontdrvhost.exe" | PID:792
- [1] C:\Windows\system32\dwm.exe | cmdline: "dwm.exe" | PID:332
- [1] C:\Windows\system32\sihost.exe | cmdline: sihost.exe | PID:2648
- [1] C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2660
- [1] C:\Windows\system32\taskhostw.exe | cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2816
- [1] C:\Windows\Explorer.EXE | cmdline: C:\Windows\Explorer.EXE | PID:3368
- [2] C:\Users\Admin\AppData\Local\Temp\39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\39771891331f0ec6459645875c89a1f1_JaffaCakes118.exe" | PID:3504
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
- [3] C:\Windows\SysWOW64\akmqcn.exe | cmdline: C:\Windows\system32\akmqcn.exe | PID:4628
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\eedfpehq.exe | cmdline: C:\Windows\system32\eedfpehq.exe | PID:5076
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\swvsdmi.exe | cmdline: C:\Windows\system32\swvsdmi.exe | PID:4748
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\dwypuw.exe | cmdline: C:\Windows\system32\dwypuw.exe | PID:2572
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\zlnlnyei.exe | cmdline: C:\Windows\system32\zlnlnyei.exe | PID:4940
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\gbnhufe.exe | cmdline: C:\Windows\system32\gbnhufe.exe | PID:4172
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\bqekuih.exe | cmdline: C:\Windows\system32\bqekuih.exe | PID:1280
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\hqahwcsd.exe | cmdline: C:\Windows\system32\hqahwcsd.exe | PID:3228
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\iiekclh.exe | cmdline: C:\Windows\system32\iiekclh.exe | PID:3452
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\fknca.exe | cmdline: C:\Windows\system32\fknca.exe | PID:748
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\gdqqcn.exe | cmdline: C:\Windows\system32\gdqqcn.exe | PID:1700
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\tsauotnp.exe | cmdline: C:\Windows\system32\tsauotnp.exe | PID:3340
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\ocyehf.exe | cmdline: C:\Windows\system32\ocyehf.exe | PID:1712
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\vlubpflj.exe | cmdline: C:\Windows\system32\vlubpflj.exe | PID:4648
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\mjcpa.exe | cmdline: C:\Windows\system32\mjcpa.exe | PID:4204
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [18] C:\Windows\SysWOW64\cqubiwuh.exe | cmdline: C:\Windows\system32\cqubiwuh.exe | PID:244
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [19] C:\Windows\SysWOW64\zehkeltr.exe | cmdline: C:\Windows\system32\zehkeltr.exe | PID:1592
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- [20] C:\Windows\SysWOW64\fzltznm.exe | cmdline: C:\Windows\system32\fzltznm.exe | PID:368
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [21] C:\Windows\SysWOW64\gxqwtomx.exe | cmdline: C:\Windows\system32\gxqwtomx.exe | PID:1048
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [22] C:\Windows\SysWOW64\nejra.exe | cmdline: C:\Windows\system32\nejra.exe | PID:2420
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [23] C:\Windows\SysWOW64\kqmikdjc.exe | cmdline: C:\Windows\system32\kqmikdjc.exe | PID:2904
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [24] C:\Windows\SysWOW64\jwxoufp.exe | cmdline: C:\Windows\system32\jwxoufp.exe | PID:1148
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [25] C:\Windows\SysWOW64\nxzoc.exe | cmdline: C:\Windows\system32\nxzoc.exe | PID:3620
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [26] C:\Windows\SysWOW64\vteguc.exe | cmdline: C:\Windows\system32\vteguc.exe | PID:208
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- [27] C:\Windows\SysWOW64\rpzwhqqf.exe | cmdline: C:\Windows\system32\rpzwhqqf.exe | PID:1704
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- [28] C:\Windows\SysWOW64\jjijzcmm.exe | cmdline: C:\Windows\system32\jjijzcmm.exe | PID:372
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [29] C:\Windows\SysWOW64\xjxfto.exe | cmdline: C:\Windows\system32\xjxfto.exe | PID:2508
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- [30] C:\Windows\SysWOW64\ardkjgy.exe | cmdline: C:\Windows\system32\ardkjgy.exe | PID:2344
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [31] C:\Windows\SysWOW64\yxkrsnd.exe | cmdline: C:\Windows\system32\yxkrsnd.exe | PID:224
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- [32] C:\Windows\SysWOW64\fiqxosb.exe | cmdline: C:\Windows\system32\fiqxosb.exe | PID:2844
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [33] C:\Windows\SysWOW64\oneolym.exe | cmdline: C:\Windows\system32\oneolym.exe | PID:4780
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [34] C:\Windows\SysWOW64\hilnqt.exe | cmdline: C:\Windows\system32\hilnqt.exe | PID:2692
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [35] C:\Windows\SysWOW64\nzcvzroc.exe | cmdline: C:\Windows\system32\nzcvzroc.exe | PID:4528
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [36] C:\Windows\SysWOW64\lgvvcnbw.exe | cmdline: C:\Windows\system32\lgvvcnbw.exe | PID:4324
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [37] C:\Windows\SysWOW64\bkysx.exe | cmdline: C:\Windows\system32\bkysx.exe | PID:3440
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [38] C:\Windows\SysWOW64\ihzhm.exe | cmdline: C:\Windows\system32\ihzhm.exe | PID:920
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [39] C:\Windows\SysWOW64\orrxjxsg.exe | cmdline: C:\Windows\system32\orrxjxsg.exe | PID:3632
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [40] C:\Windows\SysWOW64\yoyfoen.exe | cmdline: C:\Windows\system32\yoyfoen.exe | PID:3348
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [41] C:\Windows\SysWOW64\jlovezdq.exe | cmdline: C:\Windows\system32\jlovezdq.exe | PID:2192
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [42] C:\Windows\SysWOW64\micmljpc.exe | cmdline: C:\Windows\system32\micmljpc.exe | PID:1104
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
- [43] C:\Windows\SysWOW64\bfdkpt.exe | cmdline: C:\Windows\system32\bfdkpt.exe | PID:3096
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- [44] C:\Windows\SysWOW64\xkpmmka.exe | cmdline: C:\Windows\system32\xkpmmka.exe | PID:1920
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [45] C:\Windows\SysWOW64\krhlmz.exe | cmdline: C:\Windows\system32\krhlmz.exe | PID:4952
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
- [46] C:\Windows\SysWOW64\igxchilj.exe | cmdline: C:\Windows\system32\igxchilj.exe | PID:2352
  - Executes dropped EXE
- [47] C:\Windows\SysWOW64\brvyulw.exe | cmdline: C:\Windows\system32\brvyulw.exe | PID:5432
  - Executes dropped EXE
- [48] C:\Windows\SysWOW64\qunudk.exe | cmdline: C:\Windows\system32\qunudk.exe | PID:5472
  - Executes dropped EXE
- [49] C:\Windows\SysWOW64\oxkuu.exe | cmdline: C:\Windows\system32\oxkuu.exe | PID:5516
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [50] C:\Windows\SysWOW64\wqohc.exe | cmdline: C:\Windows\system32\wqohc.exe | PID:5548
  - Executes dropped EXE
- [51] C:\Windows\SysWOW64\yyxcfqc.exe | cmdline: C:\Windows\system32\yyxcfqc.exe | PID:5580
  - Executes dropped EXE
- [52] C:\Windows\SysWOW64\hyhlb.exe | cmdline: C:\Windows\system32\hyhlb.exe | PID:5612
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\fufbb.exe | cmdline: C:\Windows\system32\fufbb.exe | PID:5644
  - Executes dropped EXE
  - Drops file in System32 directory
- [54] C:\Windows\SysWOW64\camqshd.exe | cmdline: C:\Windows\system32\camqshd.exe | PID:5680
  - Executes dropped EXE
- [55] C:\Windows\SysWOW64\fplnwyhu.exe | cmdline: C:\Windows\system32\fplnwyhu.exe | PID:5716
  - Executes dropped EXE
  - Drops file in System32 directory
- [56] C:\Windows\SysWOW64\djsms.exe | cmdline: C:\Windows\system32\djsms.exe | PID:5748
  - Executes dropped EXE
  - Drops file in System32 directory
- [57] C:\Windows\SysWOW64\wgzpjzo.exe | cmdline: C:\Windows\system32\wgzpjzo.exe | PID:5780
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\gsqpsvme.exe | cmdline: C:\Windows\system32\gsqpsvme.exe | PID:5812
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- [59] C:\Windows\SysWOW64\mrokxt.exe | cmdline: C:\Windows\system32\mrokxt.exe | PID:5848
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
- [60] C:\Windows\SysWOW64\fhimb.exe | cmdline: C:\Windows\system32\fhimb.exe | PID:5880
  - Executes dropped EXE
- [61] C:\Windows\SysWOW64\xhnwl.exe | cmdline: C:\Windows\system32\xhnwl.exe | PID:5912
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\draseed.exe | cmdline: C:\Windows\system32\draseed.exe | PID:5944
  - Executes dropped EXE
- [63] C:\Windows\SysWOW64\lgmqg.exe | cmdline: C:\Windows\system32\lgmqg.exe | PID:5984
  - Executes dropped EXE
- [64] C:\Windows\SysWOW64\xtetyed.exe | cmdline: C:\Windows\system32\xtetyed.exe | PID:6016
  - Executes dropped EXE
- [65] C:\Windows\SysWOW64\kieypsm.exe | cmdline: C:\Windows\system32\kieypsm.exe | PID:6048
  - Executes dropped EXE
  - Adds Run key to start application
- [66] C:\Windows\SysWOW64\zrxdo.exe | cmdline: C:\Windows\system32\zrxdo.exe | PID:6080
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
- [67] C:\Windows\SysWOW64\ttehq.exe | cmdline: C:\Windows\system32\ttehq.exe | PID:6112
  - Drops file in System32 directory
- [68] C:\Windows\SysWOW64\htmcwqy.exe | cmdline: C:\Windows\system32\htmcwqy.exe | PID:3344
- [69] C:\Windows\SysWOW64\mneiz.exe | cmdline: C:\Windows\system32\mneiz.exe | PID:3128
- [70] C:\Windows\SysWOW64\ypjegdrh.exe | cmdline: C:\Windows\system32\ypjegdrh.exe | PID:2980
  - Drops file in System32 directory
- [71] C:\Windows\SysWOW64\sboxvzl.exe | cmdline: C:\Windows\system32\sboxvzl.exe | PID:4568
- [72] C:\Windows\SysWOW64\frnov.exe | cmdline: C:\Windows\system32\frnov.exe | PID:428
- [73] C:\Windows\SysWOW64\ifclwly.exe | cmdline: C:\Windows\system32\ifclwly.exe | PID:2252
- [74] C:\Windows\SysWOW64\crcsof.exe | cmdline: C:\Windows\system32\crcsof.exe | PID:4472
- [75] C:\Windows\SysWOW64\ptrriulc.exe | cmdline: C:\Windows\system32\ptrriulc.exe | PID:2488
- [76] C:\Windows\SysWOW64\lukwk.exe | cmdline: C:\Windows\system32\lukwk.exe | PID:5380
  - Drops file in System32 directory
- [77] C:\Windows\SysWOW64\joxuhjpb.exe | cmdline: C:\Windows\system32\joxuhjpb.exe | PID:5388
- [78] C:\Windows\SysWOW64\nzrcb.exe | cmdline: C:\Windows\system32\nzrcb.exe | PID:5328
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- [79] C:\Windows\SysWOW64\fxgdzc.exe | cmdline: C:\Windows\system32\fxgdzc.exe | PID:5352
- [80] C:\Windows\SysWOW64\cbbmbvk.exe | cmdline: C:\Windows\system32\cbbmbvk.exe | PID:5448
  - Adds Run key to start application
- [81] C:\Windows\SysWOW64\zricc.exe | cmdline: C:\Windows\system32\zricc.exe | PID:5512
- [82] C:\Windows\SysWOW64\xwkmdhc.exe | cmdline: C:\Windows\system32\xwkmdhc.exe | PID:5592
  - Drops file in System32 directory
- [83] C:\Windows\SysWOW64\fkwlfcp.exe | cmdline: C:\Windows\system32\fkwlfcp.exe | PID:5688
  - Adds Run key to start application
  - Drops file in System32 directory
- [84] C:\Windows\SysWOW64\leapvjvg.exe | cmdline: C:\Windows\system32\leapvjvg.exe | PID:5788
- [85] C:\Windows\SysWOW64\tpehyzry.exe | cmdline: C:\Windows\system32\tpehyzry.exe | PID:5860
  - Adds Run key to start application
- [86] C:\Windows\SysWOW64\cyaapn.exe | cmdline: C:\Windows\system32\cyaapn.exe | PID:5952
- [87] C:\Windows\SysWOW64\xjuyh.exe | cmdline: C:\Windows\system32\xjuyh.exe | PID:6028
- [88] C:\Windows\SysWOW64\alrdayqa.exe | cmdline: C:\Windows\system32\alrdayqa.exe | PID:6120
  - Adds Run key to start application
- [89] C:\Windows\SysWOW64\bybaqhq.exe | cmdline: C:\Windows\system32\bybaqhq.exe | PID:540
- [90] C:\Windows\SysWOW64\lfjhpksw.exe | cmdline: C:\Windows\system32\lfjhpksw.exe | PID:2196
  - System Location Discovery: System Language Discovery
- [91] C:\Windows\SysWOW64\sqyjomha.exe | cmdline: C:\Windows\system32\sqyjomha.exe | PID:2716
- [92] C:\Windows\SysWOW64\cusiozqm.exe | cmdline: C:\Windows\system32\cusiozqm.exe | PID:4980
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- [93] C:\Windows\SysWOW64\sgfyfy.exe | cmdline: C:\Windows\system32\sgfyfy.exe | PID:5184
- [94] C:\Windows\SysWOW64\crlfaacc.exe | cmdline: C:\Windows\system32\crlfaacc.exe | PID:4688
- [95] C:\Windows\SysWOW64\turivmpc.exe | cmdline: C:\Windows\system32\turivmpc.exe | PID:5404
  - Drops file in System32 directory
- [96] C:\Windows\SysWOW64\kicds.exe | cmdline: C:\Windows\system32\kicds.exe | PID:5588
- [97] C:\Windows\SysWOW64\puypx.exe | cmdline: C:\Windows\system32\puypx.exe | PID:5808
  - System Location Discovery: System Language Discovery
- [98] C:\Windows\SysWOW64\ulfkfhb.exe | cmdline: C:\Windows\system32\ulfkfhb.exe | PID:6024
- [99] C:\Windows\SysWOW64\fotxzmc.exe | cmdline: C:\Windows\system32\fotxzmc.exe | PID:384
  - Adds Run key to start application
- [100] C:\Windows\SysWOW64\cuzbyyy.exe | cmdline: C:\Windows\system32\cuzbyyy.exe | PID:5072
- [101] C:\Windows\SysWOW64\lbbcgwiz.exe | cmdline: C:\Windows\system32\lbbcgwiz.exe | PID:5344
- [102] C:\Windows\SysWOW64\yvlngunx.exe | cmdline: C:\Windows\system32\yvlngunx.exe | PID:5888
- [103] C:\Windows\SysWOW64\lopcbsm.exe | cmdline: C:\Windows\system32\lopcbsm.exe | PID:3704
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- [104] C:\Windows\SysWOW64\zimbjn.exe | cmdline: C:\Windows\system32\zimbjn.exe | PID:4924
- [105] C:\Windows\SysWOW64\xlizzxw.exe | cmdline: C:\Windows\system32\xlizzxw.exe | PID:6172
- [106] C:\Windows\SysWOW64\ysonymo.exe | cmdline: C:\Windows\system32\ysonymo.exe | PID:6204
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
- [107] C:\Windows\SysWOW64\gwpgmfd.exe | cmdline: C:\Windows\system32\gwpgmfd.exe | PID:6236
- [108] C:\Windows\SysWOW64\mmdbrem.exe | cmdline: C:\Windows\system32\mmdbrem.exe | PID:6268
- [109] C:\Windows\SysWOW64\qngxcefq.exe | cmdline: C:\Windows\system32\qngxcefq.exe | PID:6300
  - Adds Run key to start application
- [110] C:\Windows\SysWOW64\zulvedbu.exe | cmdline: C:\Windows\system32\zulvedbu.exe | PID:6332
- [111] C:\Windows\SysWOW64\zvnuubzb.exe | cmdline: C:\Windows\system32\zvnuubzb.exe | PID:6364
  - Adds Run key to start application
- [112] C:\Windows\SysWOW64\ersfabf.exe | cmdline: C:\Windows\system32\ersfabf.exe | PID:6396
- [113] C:\Windows\SysWOW64\faeijeq.exe | cmdline: C:\Windows\system32\faeijeq.exe | PID:6428
- [114] C:\Windows\SysWOW64\uywjt.exe | cmdline: C:\Windows\system32\uywjt.exe | PID:6460
  - Adds Run key to start application
- [115] C:\Windows\SysWOW64\vlexixp.exe | cmdline: C:\Windows\system32\vlexixp.exe | PID:6492
- [116] C:\Windows\SysWOW64\updddq.exe | cmdline: C:\Windows\system32\updddq.exe | PID:6524
- [117] C:\Windows\SysWOW64\xensu.exe | cmdline: C:\Windows\system32\xensu.exe | PID:6556
  - Drops file in System32 directory
- [118] C:\Windows\SysWOW64\fqgtay.exe | cmdline: C:\Windows\system32\fqgtay.exe | PID:6596
  - Drops file in System32 directory
- [119] C:\Windows\SysWOW64\kstid.exe | cmdline: C:\Windows\system32\kstid.exe | PID:6636
- [120] C:\Windows\SysWOW64\kcwofb.exe | cmdline: C:\Windows\system32\kcwofb.exe | PID:6668
- [121] C:\Windows\SysWOW64\spfvshtc.exe | cmdline: C:\Windows\system32\spfvshtc.exe | PID:6704
- [122] C:\Windows\SysWOW64\mtvviq.exe | cmdline: C:\Windows\system32\mtvviq.exe | PID:6740
  - System Location Discovery: System Language Discovery